package SV_HASH_NO_SALT;

public class Vulnerable {
    /*
     * Adds a new user; stores login and password hash.
     */
    public void addUser(String login, byte[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");









            md.update(password); // < -- calculate hash for the password









            byte[] hash = md.digest();
            storeHashString(login, Hex.encodeHexString(hash));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /*
     * Validates user login information. Returns true if user exists, and
       entered password hash matches stored password hash;
     * otherwise returns false.
     */
    public boolean login(String login, byte[] password) {
        try {
            String storedHash = readHashString(login);
            if (storedHash != null) {
                MessageDigest md = MessageDigest.getInstance("MD5");









                md.update(password); // < -- calculate hash for the password









                byte[] hash = md.digest();
                return MessageDigest.isEqual(hash, Hex.decodeHex(storedHash.toCharArray()));
            } else {
                return false;
            }
        } catch (NoSuchAlgorithmException | DecoderException e) {
            throw new IllegalStateException(e);
        }
    }

 . . .

         hashManager.addUser("Alice", "changeit".getBytes());
        hashManager.addUser("Bob", "changeit".getBytes());
}
